If there are any mailing lists which are more suitable to this discussion, please mention them so we may subscribe to them and discuss this there.
> David Hendricks <[email protected]> wrote on 4 October 2018 at 19:00:
>
> On Thu, Oct 4, 2018 at 9:22 AM Patrick Georgi via coreboot <[email protected]> wrote:
>
> > But generally speaking: that discussion is rather off topic for this
> > mailing list.
> > Please look for some more suitable venue to discuss "people potentially
> > tampering other people's devices (with no obvious connection to coreboot)".
>
> Patrick is right that the Bloomberg article is not particularly well-suited
> for the coreboot mailing list.
>
> However, it's still worth pointing out that supply chain attacks are a
> serious threat. This could be in the form of added hardware (like the
> Bloomberg article suggests) or it could be in the form of firmware that
> contains malicious code from any of the many parties involved in creating
> it.
>
> Traditionally, firmware contains modules from the silicon vendor, a
> software vendor (IBV/ISV) who packages it with their SDK and value-add
> software, and ODMs/OEMs who make further product-specific additions. Modern
> firmware can easily contain over a million lines (or multiple millions of
> lines) of code from several parties, and this code runs at the highest
> privilege level before any OS-based security mechanism comes into play.
> Anyone in that part of the supply chain can slip in malicious code, and the
> customer usually doesn't have any way of viewing the code or tracing where
> it came from due to its closed nature.
>
> That is relevant to coreboot insofar as coreboot has been leading the
> charge (with varying levels of success) for open and auditable firmware on
> x86 platforms for nearly two decades.
> --
> coreboot mailing list: [email protected]
> https://mail.coreboot.org/mailman/listinfo/coreboot

